RE: Unsigned Windows 2000 Patches

From: Toland, Dave (Dave.Toland@ca.com)
Date: 02/22/02


From: "Toland, Dave" <Dave.Toland@ca.com>
To: 'Eric' <ews@tellurian.net>, ar@sz.chn.tuv.com, focus-ms@securityfocus.com, security-basics@securityfocus.com
Date: Fri, 22 Feb 2002 10:29:58 -0500

The last time I saw this, I looked at the details. The reason the
signing certificate was being flagged was because the verification
code was unable to find a current revocation list, so was unable to
certify that the certificate was still valid. This means the certificate
source is trusted and the certificate itself is not expired, but that
the software could not guarantee that the Certification Authority had
not issued a revocation for the certificate.

For my part, that was a "good enough" confidence level to proceed
with the installation. But I would never proceed without checking
the reason a signature was flagged.

This does beg the question of why a valid CRL wasn't available though.

-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Thursday, February 21, 2002 2:56 PM
To: ar@sz.chn.tuv.com; focus-ms@securityfocus.com;
security-basics@securityfocus.com
Subject: Re: Unsigned Windows 2000 Patches

All security patches are signed. Once you download the file, right-click
on it and view properties; you should see a tab for digital signatures.

If you expand the signed package, the files within the patch won't have a
digital signatures tab; however, after you install it, run sigverif.exe and
you can verify that all the files are now signed (the CAT file registers
all the files as signed).

What gave you the error messages below? Had you enabled a security policy
on your system to "not install unsigned drivers"? I've found that this
will usually cause problems as it views the files as unsigned before they
are registered via the CAT file.

At 04:32 PM 2/21/2002 +0800, ar@sz.chn.tuv.com wrote:

>Hi,
>
>Recently, when I try to download patches from Microsoft I get the messages
>"Unknown Software Package", "The Software you are trying to install is not
>signed." "Microsoft cannot guarantee that this software will work with
>Windows." etc.
>
>Is this just temporary or is this the extension of the Microsoft
>"We-don't-test-our-software-and-don't-guarantee-it-is-working-and-if-you-use-it-you-have-to-blame-only-yourself-Policy"
>
>towards the patches?
>
>What is safer, install no patches or install unsigned patches?
>
>Cheers,
>Andreas
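
The reply at the top of this thread separates a signature flagged because no current revocation list could be found from one that is actually bad. The PowerShell below is an added example, not part of the original thread, that makes the same distinction by building the signer's certificate chain with online revocation checking; the function name Get-SignatureFlagReason and the verdict labels are made up for illustration.

```powershell
# Added example: report WHY a file's signature is flagged, so that
# "could not reach a CRL" is not confused with "revoked" or "tampered".
# Get-SignatureFlagReason and the Verdict strings are illustrative names.
function Get-SignatureFlagReason {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        Status      = $sig.Status.ToString()
        ChainStatus = @()
        Verdict     = 'Unclassified'
    }

    if (-not $sig.SignerCertificate) {
        # No signer found. Files expanded from a package can land here until
        # the patch's CAT file is installed, as described in the thread.
        $result.Verdict = 'NoSignatureFound'
        return [pscustomobject]$result
    }
    if ($sig.Status -eq 'HashMismatch') {
        # File contents do not match the signed hash.
        $result.Verdict = 'ContentModified'
        return [pscustomobject]$result
    }

    # Build the chain and ask for revocation data from the CA (CRL/OCSP).
    # Caveat: the chain is evaluated at the current time, so an old,
    # timestamped signature may also report NotTimeValid here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($sig.SignerCertificate)

    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.ChainStatus = $flags

    if ($flags -match 'Revoked') {
        $result.Verdict = 'CertificateRevoked'          # do not install
    } elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
        $result.Verdict = 'RevocationListUnavailable'   # the case in the reply
    } elseif ($flags -match 'UntrustedRoot|PartialChain') {
        $result.Verdict = 'IssuerNotTrusted'
    } elseif ($flags.Count -eq 0) {
        $result.Verdict = 'ChainValid'
    }
    return [pscustomobject]$result
}
# Usage (placeholder path): Get-SignatureFlagReason -Path .\patch.exe
```

A RevocationListUnavailable verdict is worth re-running from a network that can reach the CA's distribution points before deciding whether to proceed.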


